South Korea Fines Worldcoin Entities $0.83 Million for Privacy Violations

Seoul, South Korea - The Personal Information Protection Commission (PIPC) has imposed fines totaling KRW 1.104 billion ($830,000) on the Worldcoin Foundation and Tools for Humanity Corporation (TFH) for violating personal information protection laws.

The PIPC's investigation, launched in February following complaints and media reports, found that the entities collected iris information from 29,991 South Korean users without proper consent and transferred personal data overseas without adhering to legal requirements.

Worldcoin Foundation was fined KRW 725 million ($545,000), while TFH received a penalty of KRW 379 million ($285,000).

The fines were primarily based on violations related to sensitive information processing and international data transfers

The regulator's decision came after its 16th plenary session, where it also ordered corrective measures, including:

• Obtaining separate consent for sensitive information processing
• Ensuring data deletion upon user request
• Limiting data use to the original purpose of World ID authentication
• Implementing age verification procedures for the World App2

The PIPC's investigation revealed that 93,463 South Korean users had downloaded the World App, with nearly one-third proceeding to iris authentication.

Worldcoin argued that iris codes were anonymous and secure, citing the application of advanced technologies in their processing.

However, the PIPC determined that the iris codes constituted sensitive biometric data under Korean law, given their unique and immutable nature.

The commission noted that the iris codes function as identifiers and are internally linked to World IDs, making them personal information subject to protection under the law.

While imposing penalties, the PIPC did not outright prohibit the processing of sensitive information, provided the entities comply with the mandated corrective measures.

The regulator emphasized the growing importance of safeguarding sensitive biometric data and managing international data transfers in the expanding AI and digital economy.

It stated that businesses must be increasingly aware of their obligations under data protection laws as biometric data and cross-border data flows continue to rise. T

The PIPC pledged to monitor new technologies and services to protect personal information rights while allowing innovation.

This case marks a significant regulatory action in the intersection of cryptocurrency projects and data privacy, potentially setting a precedent for future oversight in the sector.